Mozilla Foundation Security Advisory 2009-55

Crash in proxy auto-configuration regexp parsing

Announced

October 27, 2009

Reporter

Marco C.

Impact

Moderate

Products

Firefox, SeaMonkey

Fixed in

Firefox 3.0.15

Firefox 3.5.4

SeaMonkey 2

Description

Security researcher Marco C. reported a flaw in
the parsing of regular expressions used in Proxy Auto-configuration
(PAC) files. In certain cases this flaw could be used by an attacker
to crash a victim's browser and run arbitrary code on their computer.
Since this vulnerability requires the victim to have PAC configured in
their environment with specific regular expressions which can trigger
the crash, the severity of the issue was determined to be
moderate.
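
The preconditions above can be checked per profile. The following is an added example, not Mozilla code and not part of the original advisory: it tests a Firefox version against the "Fixed in" list, checks whether a PAC URL is configured in `prefs.js`, and heuristically flags whether the PAC script uses regular expressions at all. The advisory does not say which expressions trigger the crash, so the scan only narrows the set of profiles to patch first; function names and sample data are assumptions made for illustration.

```javascript
// Added example (not Mozilla code). Sample inputs are constructed.
const FIXED = { "3.0": [3, 0, 15], "3.5": [3, 5, 4] }; // from "Fixed in"
// true = older than the fix, false = fixed, null = branch not listed.
function isUnfixedFirefox(version) {
  const parts = version.split(".").map((p) => parseInt(p, 10) || 0);
  const fixed = FIXED[parts.slice(0, 2).join(".")];
  if (!fixed) return null;
  for (let i = 0; i < 3; i++) {
    const have = parts[i] || 0;
    if (have !== fixed[i]) return have < fixed[i];
  }
  return false;
}

// Parse user_pref("name", value); lines from a profile's prefs.js.
function readPrefs(text) {
  const prefs = {};
  for (const m of text.matchAll(/^user_pref\("([^"]+)",\s*(.+)\);\s*$/gm)) {
    try { prefs[m[1]] = JSON.parse(m[2]); } catch (e) { prefs[m[1]] = m[2]; }
  }
  return prefs;
}

// Heuristic: does the PAC script construct or use regular expressions?
function pacUsesRegexp(pac) {
  const code = pac
    .replace(/"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'/g, '""') // drop strings
    .replace(/\/\*[\s\S]*?\*\//g, ""); // drop block comments
  return /\bRegExp\s*\(/.test(code) || // constructor call
    /(?:[(,=:\[!&|?;{}]|\breturn)\s*\/(?![\/*])/.test(code); // /literal/
}

// network.proxy.type 2 means "automatic proxy configuration URL".
function triage(version, prefsText, pacText) {
  const prefs = readPrefs(prefsText);
  const pac = prefs["network.proxy.type"] === 2 &&
    !!prefs["network.proxy.autoconfig_url"];
  const unfixed = isUnfixedFirefox(version);
  const regexp = pac && pacUsesRegexp(pacText);
  return { unfixed, pac, regexp, exposed: unfixed === true && pac && regexp };
}
// Constructed sample profile and PAC file.
const SAMPLE_PREFS = 'user_pref("network.proxy.type", 2);\n' +
  'user_pref("network.proxy.autoconfig_url", "http://wpad.example/proxy.pac");\n';
const SAMPLE_PAC = String.raw`function FindProxyForURL(url, host) {
  if (/^intranet\./.test(host)) return "DIRECT";
  return "PROXY proxy.example:8080";
}`;
console.log(triage("3.5.3", SAMPLE_PREFS, SAMPLE_PAC));
```

A `null` in the `unfixed` field means the version is on a branch the advisory's fix list does not name, so it needs a separate check rather than being treated as safe.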

Workaround

Disable JavaScript until a version containing these fixes can be
installed.